What is OS fingerprinting?
Inferring a remote machine's operating system type and version (Windows XP, Linux 2.4...) by unique characteristics of its packets and network behavior.
Useful for,
• Network reconnaissance for pentests
• Network monitoring for administration
• Internal security audits
Existing tools
• Nmap
  o Active probing of TCP, UDP, and ICMP
  o Contains over 4,000 user submitted OS fingerprints
• xprobe2
  o Many probes for TCP and ICMP
  o Smaller database than nmap
• p0f
  o Passive OS fingerprinter
  o Complete rewrite to version 3 in 2012
Problem with nmap
Nmap requires the following to do an accurate OS scan,
• 1 open TCP port
• 1 closed TCP port
• 1 closed UDP port
• Response to ICMP queries

Nmap scan report for 192.168.0.3
All 1000 scanned ports on 192.168.0.3 are closed
MAC Address: B8:C6:xx:xx:xx:xx (Unknown)
Too many fingerprints match this host to give specific OS details
What about ARP?
• Address Resolution Protocol
• Primarily used to translate IP addresses into MAC addresses on link local networks
Neighbor Cache
• Sending an ARP request for every packet would be a waste of network resources. Once an IP address is resolved into a MAC address, it is cached (the Linux kernel calls this the "neighbor cache").
• Cache values time out, but often with complicated timeout policies
• Valid ARP packets will update the cache, but invalid ARP packets should be ignored
ARP Fingerprinting?
• Only tool that used ARP for any sort of fingerprinting was a very minimal implementation (arp-scan) that just sent a few malformed ARP requests and looked for replies
• Finding no existing tools, I wrote my own prototype fingerprinting tool for ARP,
  o Neighbor Cache Fingerprinter (NCF)
Fingerprinting: NCF Response Elicitation
• NCF works in any of the following conditions,
  o If target responds to ICMP echo packets
    o NCF sends ICMP echo to target as probe packet
    o Target will send back ICMP echo reply
  o If target has a single closed TCP port
    o NCF sends a SYN as probe packet
    o Target will send back RST packet
  o If target has an open TCP port
    o NCF sends a SYN as probe packet
    o Target sends back a SYN/ACK
  o If target has a closed UDP port
    o NCF sends a UDP packet to the closed port as probe packet
    o Target will send back ICMP unreachable packet
Fingerprinting: Number of ARP Requests
NCF: Probes target from spoofed IP address
Target: Who has IP x.x.x.x (spoofed IP)?
Target: Who has IP x.x.x.x (spoofed IP)?
...
• Windows XP: Gives up after 1 attempt
• Linux: Gives up after 3 attempts
• Android: Gives up after 1-2 attempts
NCF records the min and max retry attempts
Fingerprinting: Cache entry timeout
NCF: Probes target with spoofed IP address
Target: (ARP) who has x.x.x.x (spoofed IP address)?
NCF: (ARP) x.x.x.x is at x:x:x:x:x:x (spoofed MAC)
Target: Replies to probe
NCF: Sends another probe
Target: Replies to probe
NCF: Sends another probe
Target: Replies to probe
... some time later, the entry in the target's ARP cache expires
NCF: Sends another probe
Target: (ARP) who has x.x.x.x?
Record how long it took for the cache entry to expire
Fingerprinting: Detecting flood prevention
NCF: x.x.x.x is at x:x:x:x:x:80
NCF: x.x.x.x is at x:x:x:x:x:81
NCF: x.x.x.x is at x:x:x:x:x:82
NCF: Send probe packet
Target: Replies (but to which MAC address?)
If target has flood protection, it will reply to one of the earlier MAC addresses. If not, it will reply to the last one seen (...82).
Fingerprinting: Gratuitous ARP packets
• A gratuitous or unsolicited ARP reply is an ARP reply for which there was no request
• ARP fields get confusing (great for implementation diversity)
  o Who's the target IP of the message? Broadcast address? Zero? Specification actually says target IP should be the same as sender IP (looks like an ARP reply to yourself)
  o Who's the target MAC of the message? Broadcast (this is in the ethernet frame)? Same as the sender MAC address? Neither: it should be zero according to the spec.
  o Even the ARP opcode becomes confusing in the case of unsolicited ARP packets. Is it a "request" for other machines to update their cache? Or is it a "reply", even though it isn't a reply to anyone?
Fingerprinting: Gratuitous ARP packets
We craft gratuitous ARP packets, changing fields to match common implementation errors and oddities.
Ethernet Frame Dst Address: Bcast or the MAC of our target
ARP Target Hardware Address: 0, bcast, or the MAC of our target
ARP Target Protocol Address: 0 or the IP address of our target
ARP Opcode: REPLY or REQUEST
NCF generates 36 different permutations of gratuitous ARP packets, and records if each one was accepted or ignored by the target.
Fingerprinting: Gratuitous ARP packets
NCF: (permutation 1) x.x.x.x is at x:x:x:x:x:40
NCF: (permutation 2) x.x.x.x is at x:x:x:x:x:41
NCF: Probes target
Target: Replies to probe. If packet 2 was accepted and updated the ARP cache, response is to MAC address x:x:x:x:x:41. If it was ignored as an invalid packet, response is to MAC x:x:x:x:x:40.
NCF: (permutation 3) x.x.x.x is at x:x:x:x:x:42
NCF: Probes target
Target: Replies to probe (to which spoofed MAC address?)
...
NCF: (permutation 36) x.x.x.x is at x:x:x:x:x:76
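As an added example (not code from the NCF project or from these slides), here is a small Python parser that labels a stream of ARP frames the way a defender's ARP monitor would: it marks replies that nobody asked for (the cache-overwrite pattern behind the flood-prevention and permutation tests above) and gratuitous announcements whose target hardware address, Ethernet destination or opcode deviate from the spec. The frames, MAC addresses and IP addresses are constructed sample input, not captured traffic.

```python
import socket
import struct

ETH = struct.Struct("!6s6sH")          # Ethernet II: dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
BCAST, ZERO_MAC = b"\xff" * 6, b"\x00" * 6

def mac(s): return bytes.fromhex(s.replace(":", ""))  # "aa:bb:cc:dd:ee:ff" -> 6 raw bytes

def build_arp(op, sha, spa, tha, tpa, eth_dst="ff:ff:ff:ff:ff:ff"):
    """Build a constructed Ethernet II + ARP frame; used only as sample input here."""
    return ETH.pack(mac(eth_dst), mac(sha), 0x0806) + ARP.pack(
        1, 0x0800, 6, 4, op, mac(sha), socket.inet_aton(spa), mac(tha), socket.inet_aton(tpa))

def parse_arp(frame):
    """Return the ARP fields of an Ethernet/IPv4 ARP frame, or None for anything else."""
    dst, _src, ethertype = ETH.unpack_from(frame)
    if ethertype != 0x0806 or len(frame) < ETH.size + ARP.size: return None
    hdr = ARP.unpack_from(frame, ETH.size)
    return None if hdr[:4] != (1, 0x0800, 6, 4) else dict(
        eth_dst=dst, op=hdr[4], sha=hdr[5], spa=socket.inet_ntoa(hdr[6]),
        tha=hdr[7], tpa=socket.inet_ntoa(hdr[8]))

def classify(frames):
    """Label frames in order: a reply is 'solicited' only if the same asker requested that IP
    earlier; a self-addressed packet (SPA == TPA) is 'gratuitous' plus its field oddities."""
    pending, labels = set(), []
    for frame in frames:
        a = parse_arp(frame)
        if a is None: labels.append("non-arp"); continue
        if a["spa"] == a["tpa"]:
            odd = {"nonzero-tha": a["tha"] != ZERO_MAC, "unicast-dst": a["eth_dst"] != BCAST,
                   "reply-opcode": a["op"] == 2}
            labels.append("+".join(["gratuitous"] + [k for k, hit in odd.items() if hit]))
        elif a["op"] == 1:
            pending.add((a["sha"], a["tpa"]))
            labels.append("request")
        elif (a["eth_dst"], a["spa"]) in pending:
            pending.discard((a["eth_dst"], a["spa"]))
            labels.append("solicited-reply")
        else:  # a reply nobody asked for: the cache-overwrite pattern the slides describe
            labels.append("unsolicited-reply")
    return labels

# Constructed sample: host asks for .50, gets one answer (:80), two unsolicited claims (:81, :82), then a gratuitous packet with odd fields
TARGET_IP, TARGET_MAC, CLAIMED_IP = "192.168.0.3", "b8:c6:00:00:00:01", "192.168.0.50"
SAMPLE = [build_arp(1, TARGET_MAC, TARGET_IP, "00:00:00:00:00:00", CLAIMED_IP)]
SAMPLE += [build_arp(2, "02:00:00:00:00:" + x, CLAIMED_IP, TARGET_MAC, TARGET_IP, TARGET_MAC)
           for x in ("80", "81", "82")]
SAMPLE.append(build_arp(2, "02:00:00:00:00:40", CLAIMED_IP, TARGET_MAC, CLAIMED_IP))
```

Running `classify(SAMPLE)` yields one request, one solicited reply, two unsolicited replies and a gratuitous packet flagged for its non-zero target hardware address and reply opcode.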
Fingerprinting
• So many techniques, so little time...
• Correct reply to RFC 5227 (IPv4 Address Conflict Detection) ARP probe
• Cache entry creation with gratuitous packet
• Dynamic cache timeout policies
Fingerprinting: Relatively small database
• Windows 7
• Windows 7 or Windows Server 2008
• Windows XP or Windows Server 2003
• Linux 3.x
• Linux 2.6 (newer than 2.6.24)
• Linux 2.6 (older than 2.6.24)
• Linux 2.4
• FreeBSD or OpenBSD
• NetBSD
• Android 4.0.4
• Android 3.2
• Minix 3.2
• ReactOS 0.3.13
• Lexmark Printer
• SonicWall OS
• Wind River VxWorks
• 3com NBX V3000 (IP Telephone System)
• Honeyd Honeypot
• Scientific Atlanta DPC2100 Cable Modem
• Terayon TJ715 Cable Modem
• SMC Barricade Broadband Router
• MontaVista embedded Linux 2.4.17
Neighbor Cache Fingerprinter
Source code, documentation, and issue tracker:
github.com/PherricOxide/Neighbor-Cache-Fingerprinter
Find bugs and report them on github.
Better yet, find bugs and submit patches.
Email me fingerprints to email@example.com
Questions, comments, concerns?